WhatsApp laid bare: Info-sucking app's innards probed

Popular chat app collects and transmits data, warns paper

Users of WhatsApp need be aware that the popular messaging service collects phone numbers, call duration and other information, according to new research.

A network forensic examination by computer scientists at the University of New Haven found that WhatsApp uses the FunXMPP protocol, a binary-efficient encoded Extensible Messaging and Presence Protocol (XMPP), for message exchange.

Decrypting the network traffic isn’t simple, the researchers discovered, as both access to data on the device and full network traffic is required.

The computer scientists decrypted the WhatsApp client connection to the WhatsApp servers before viewing exchanged messages using a bespoke command-line tool they created.

By analysing signalling messages exchanged during a WhatsApp call using an Android device, the researchers were able to closely examine the authentication process of WhatsApp clients; discover what codec WhatsApp is using for voice media streams (Opus at 8 or 16 kHz sampling rates); understand how relay servers are announced and the relay election mechanism; and understand how clients announce their endpoint addresses for media streams.

Looking at network traffic allowed the boffins to see the types of data the mobile app used to set up a call. This data included WhatsApp phone numbers, WhatsApp phone call establishment metadata and date-time stamps, as well as WhatsApp phone call duration metadata and associated date-time stamps. They also were able to acquire WhatsApp's phone call voice codec (Opus) and WhatsApp's relay server IP addresses used during the calls.

The researchers reckon they are the first to probe how WhatsApp uses signalling messages to establish voice calls.

A paper about the study, entitled WhatsApp Network Forensics: Decrypting and Understanding WhatsApp Call Signaling Messages, was published in the scholarly journal Digital Investigation. The article was co-authored by F. Karpisek of Brno University of Technology in the Czech Republic, and Ibrahim Baggili and Frank Breitinger, co-directors of the Cyber Forensics Research & Education Group at the University of New Haven.

“Our research demonstrates the type of data that can be gathered through the forensic study of WhatsApp and provides a path for others to conduct additional studies into the network forensics of messaging apps,” said Baggili.

WhatsApp has more than 800 million users worldwide. The service was acquired by Facebook in 2014 for $19bn. ®